Defeating Apple’s Touch ID: It’s easier than you may think

The hack using lifted fingerprints is easy; here's how you can make it harder.

This weekend's decisive defeat of Touch ID is the most poignant reminder yet of the significant limitations of using fingerprints, iris scans, and other physical characteristics to prove our identities to computing devices. As previously reported, a team of German hackers who have long criticized biometrics-based authentication bypassed the new iPhone feature less than 48 hours after its debut.

Many security researchers and writers, yours truly included, predicted that the high-definition scanner included in the iPhone 5S wouldn't be fooled by attacks using scanned fingerprint smudges to impersonate an already enrolled thumb or finger. It's now clear we were wrong. Hacker Starbug overcame the purported ability of Touch ID to read prints at a sub-epidermal level by using a slightly higher resolution camera to generate a cloned fingerprint. The availability of a laser printer also seemed to help.

Some critics have castigated the technique as too difficult for the average hacker. Others have argued that the hack has little significance in the real world. They cite Apple talking points that the protection of Touch ID represents a significant improvement over what many people have now, since a large percentage of iPhone users currently use no PIN at all to lock their phones. There's some merit in this second argument, since any protection, no matter how flawed, is better than none at all. But as Rob Graham, CEO of penetration testing firm Errata Security makes clear, Starbug's technique is easy for many people to carry out.

"Just because it's too much trouble for you doesn't mean it's too much trouble for a private investigator hired by your former husband," he wrote in an e-mail to Ars. "Or the neighbor's kid. Or an FBI agent. As a kid, I attended science fiction conventions in costume and had latex around the house to get those Vulcan ears to look just right. As a kid, I etched circuit boards. This sort of stuff is easy, easy, easy—you just need to try."

As Ars pointed out last week, there's little we can do to keep our fingerprints and other physical characteristics private. They leak every time we touch a door knob, wine glass, or ATM. And that calls into question whether Touch ID is a truly "secure" way to unlock phones, as Apple's own press release announcing the new feature claimed. That's not to say there aren't things people can do to limit the leakage, though.

Graham is one of the organizers behind istouchidhackedyet, a bounty program that pledged cash bounties to the first person who could override the new feature, which allows people to unlock their iPhones using one or more fingerprints. He told Ars that he's still waiting to see a detailed video that documents the hack from start to finish, but at this point he's satisfied that Starbug has met the requirements for the cash prize. He estimated the amount at about $10,000, after at least one of the people who pledged a bounty reneged on the promise.

As Ars pointed out last week, the security of iPhones would improve dramatically if Apple allowed users to unlock iPhones only after producing a valid PIN and fingerprint. This would make the iPhone a truly two-factor device, and Apple's decision not to provide the option is a missed opportunity. Given Apple's long history of removing clutter from menus and user interfaces, it seems unlikely that this option will ever be available.

For those who continue to use Touch ID, Graham suggested a simple step for minimizing the success of Starbug's attack: use only pinky or ring fingers to unlock your device. He said most prints left on glasses, iPhone screens, and other surfaces are from thumbs and index fingers. Enrolling a pinky or ring finger won't completely foreclose attacks like the one developed by Starbug, but it will require an attacker to work much harder to succeed.

Promoted Comments

How fresh was the fingerprint? Apple claims Touch ID gets better at discerning your fingerprint with each use. I'm curious if this only fools Touch ID because it was a newly registered finger, as opposed to fooling Touch ID after a fingerprint has been used for a week, month, or year. Time will tell. Still better than not having any security at all.

Any sufficiently determined attacker can crack 4-digit PIN codes as well. All they need to do is stealthily shoulder-surf as you type it in. Touch ID works better against average thieves than a PIN, as a thief needs to spend time taking a high resolution photo of your fingerprint, touching up the photo, getting to a laser printer, applying the latex, and letting the latex film settle. That gives the victim some time to remotely disable their phone from the Find My iPhone app.

Yes, it's true that a thief can perform these steps before stealing the phone, but that's a targeted attack. And with mobile devices, all bets are off in targeted attacks.

On the other hand, they can unlock your phone using TouchID without ever looking over your shoulder or figuring out your password. Your fingerprint is likely all over the screen, so if they want in, they just swipe your device immediately and go to work.

I don't understand this reaction to a fingerprint sensor not being perfect. Isn't that obvious? If Apple had invented a perfect fingerprint sensor, then a lot of three-letter agencies would have been interested.

A lot of this seems to me to be missing the point. This was intended to be an easy and convenient way to secure a phone that otherwise would not have been secured. Loads of people do not bother with a PIN, and even then tend to use short four digit pins which are as dubious as a touch sensor. To me, anything that persuades more people to at least lock their phone is a win.

Having said that, the Apple marketing could have done a better job at communicating this, and I sorely wish there was an option for two-factor authentication all the time, rather than just at restarts.

Apple fudged the marketing and implementation of the fingerprint reader. I think it's fair to complain at this point, especially with solid evidence in hand of what everyone who knew anything about fingerprint scanning tech already suspected: that for all they dressed it up, this was not substantially better than any of the other easily beaten consumer grade fingerprint tech.

If they hadn't sold it as some amazing and perfectly secure thing (Apple really played it up quite a bit), there would have simply been statements of "well of course it's hackable, but it's better than swipe to unlock at least, and the newer tech at least makes it more difficult to hack than just using a piece of tape" and it would have been left at that.

Apple shot their own foot on this one, honestly. They were practically ASKING for someone to demonstrate a hack and in turn to have a big deal made of it. Especially by not having 2 factor as an always available option (or even via time-out as suggested above).

If I have sufficient access to take a high res picture of someone's fingerprint and duplicate it, then I have sufficient access to record that person entering their PIN with a buttoncam, camera in the frame of my eyeglasses, or even just holding up my camera and seemingly recording a video of a party while I'm actually capturing someone unlocking their phone.

Touch ID is no less secure than a 4 digit PIN code and this "hack" is the very definition of social engineering.

So you think that taking a used glass at a bar is at the same level of difficulty as actively recording video of a person's fingers, at the right angle, while they unlock their phone? Cameras can be used to record PINs at an ATM, but it's harder to use one when the target is mobile and typing on a handheld screen. Fingerprints are everywhere; it's one of the first things forensics investigators look for at a crime scene.

Couldn't this go both ways? Couldn't you create a fake fingerprint this same way and put it on your finger only to unlock the phone? That would sound pretty secure to me. Now they would have to pickpocket me and take my phone. If you are looking for hard-core security, you should be thinking outside of the box just like the hackers. This idea is not about making your phone Fort Knox. It's about making your phone secure enough while it's sitting on the table with your wife's birthday gifts web page open and you had to make an emergency bathroom break.

You people are obviously doing things much more interesting or more legally questionable than I am if you are so worried about your data that you feel the need for an unbreakable password. Also, you must be a little bit dumb to have all of your most secret data in plain text and accessible with only the password that unlocks your phone.

One thing that everyone is forgetting here is that the iPhone 5S screen is coated with the same oleophobic material that all recent iPhones have. While the coating does wear off eventually (the 4S that I replaced was horrible for fingerprints after the first year of use), I have been unable to deliberately leave a fingerprint on my 5S screen despite multiple attempts. Granted, it's not a perfect solution, but it's not as bad as the image from the article would imply.

The article is poor for several reasons, including the effort it takes to get a good, clear fingerprint from a phone, and the time it takes to create an accurate latex copy of the print which can fool the sensor. The thief only has 48 hours to fool the sensor, and then only the password can unlock the phone.

* It should be remembered that the CCC in their video did not show the full time of the stunt: where the print came from, whether the iPhone was being used as a regular phone, and how much time it took to make the latex fingerprint copy. Now if Ars wants to do a test on the iPhone 5S fingerprint sensor, to produce transparent, timed results, then I'd welcome it.

* Instead, Dan Goodwin counters the effort and time problem of making accurate latex fingerprints by posting this unuseful speculation.

Quote:

"Just because it's too much trouble for you doesn't mean it's too much trouble for a private investigator hired by your former husband," he wrote in an e-mail to Ars. "Or the neighbor's kid. Or an FBI agent. As a kid, I attended science fiction conventions in costume and had latex around the house to get those Vulcan ears to look just right. As a kid, I etched circuit boards. This sort of stuff is easy, easy, easy—

In reading this, a lack of logic comes to mind. If a kid, who is a criminal, has access to my home (I assume while I'm away), then getting my fingerprints and making latex copies is not the "easy, easy, easy" thing to do. I have a friend who left his two teenage daughters home while he went on a trip with his wife. He returned to a house that had been looted of all electronics (because of a party that got out of hand). Another friend of mine was on his honeymoon, and he returned to a house that had all his wedding presents stolen. He had people staying overnight, but they left the day he returned, and that's when the theft took place.

The obvious thing I'm bringing up here is the possibility of rampant stealing at a person's home. And it not only can involve personal belongings but can include the stealing of mail (account statements) and check books, the finding of Social Security numbers, and the looting of bank/brokerage accounts.

If a criminal has access to my house for months, then a latex copy of my fingerprints is the least of my worries.

* Of course, I realize that this is an article about Apple, and so I expect far-fetched criticism.

Considering the new device had been out for under 48 hours when the exploit was published ... and they obviously needed time to actually get one, bring it home and work with it a bit ... isn't the question of how long this takes pretty much moot? The initial unskilled proof-of-concept was unequivocally completed and published within the timeout period from the device's release. The "it's too slow to really work" ship has already sailed. With practice and refinement, it only gets faster.

I'm not sure why you think it takes months of access for someone to squirt a bit of graphite on any number of surfaces and snap a photo with their iPhone (which is certainly hi-res enough for the job) when a mere overnight visit provided more than enough opportunity to clean out an entire wedding's worth of bulky gifts, which seems a much more difficult exploit in almost every respect. It may be the least of your worries, but if you are in the process of being completely robbed, why would you want to top it off by creating a situation where a digital copy of your fingerprints has been elevated in value to the point of being worthwhile to potentially steal also?

And while we're playing the logic game, it bears mentioning that kids hack devices for all sorts of reasons and often don't view themselves as criminals per se ... one who's the sort to pwn your iPhone is probably not the same sort who would flat-out steal and pawn it. Simply put, the existence of lions does not mitigate the dangers posed by the tigers and bears. Oh my.